summaryrefslogtreecommitdiff
path: root/ldap1.asciidoci
diff options
context:
space:
mode:
Diffstat (limited to 'ldap1.asciidoci')
-rw-r--r--ldap1.asciidoci213
1 files changed, 213 insertions, 0 deletions
diff --git a/ldap1.asciidoci b/ldap1.asciidoci
new file mode 100644
index 0000000..4c8b452
--- /dev/null
+++ b/ldap1.asciidoci
@@ -0,0 +1,213 @@
+== OpenLDAP Practical, Week 5 ==
+
+This practical is about installing and configuring an OpenLDAP LDAP server on
+our virtual machine. We want to setup it from source and link it with Berkeley
+DB backend.
+
+At the end of the practical, we should have a working LDAP
+directory reflecting more or less what we could have in the LDAP server of the
+university.
+
+=== Problem 1: Unsupported version of Java VM ===
+
+When running the './configure' command for the first time, it fails with
+
+ > checking if java works... configure: error: The Java VM java failed (see config.log, check the CLASSPATH?)
+
+After having a look inside 'config.log', we find this error:
+
+ > java.lang.UnsupportedClassVersionError unsupported major.minor version 51.0
+
+==== Resolution ====
+
+This exception ('unsupported major.minor version xx.y') arises when there is a
+version mismatch between the Java compiler and Virtual Machine. We verifiy this
+assertion by issuing the following commands and checking their output:
+
+ $ javac -version; java -version
+ > javac 1.7.0_65
+ > java version "1.6.0_33"
+
+The output confirms that something is messed up so we fix this error by
+removing the package 'openjdk-6-jre-headless' which was installed for some
+reason.
+
+=== Problem 2: schema files are read-only ===
+
+When willing to modify 'etc/openldap/schema/core.schema', it turns out that the
+file is actually read-only.
+
+==== Resolution ====
+
+It is actually not advisable to directly modify the default schema files
+present in 'etc/openldap/schema/'. Installing them read-only is a way to tell
+the user not to modify them because they are likely to be overriden by an
+automatic process (especially by running 'make install' again).
+
+In our case, instead of modifying 'schema/core.schema', we will extend our
+schema by creating a 'schema/local.schema' file and write our additional schema
+inside.
+
+Last but not least, we have to instruct 'slapd' to include this file by adding
+this line in 'slapd.conf' (after replacing '<PREFIX>' with slapd's
+configuration directory).
+
+ include <PREFIX>/schema/local.schema
+
+=== Problem 3: writing the proper command line to add the DIT ===
+
+Since we prefer using command line interfaces, we will use 'ldapadd' instead of
+'Jxplorer' to create our DIT. Thus we have to understand how to use 'ldapadd'
+properly.
+
+==== Resolution ====
+
+After having a glance at the manual page 'ldapadd (1)', we find out that:
+
+- the option '-W' tells 'ldapadd' to prompt for our password but we can also
+ supply it directly using '-w'.
+- the option '-D' allows us to pass the Distinguished Name
+- the option '-f' allows us to pass a LDIF file
+
+Thus, our command line can look something like:
+
+ $ ldapadd -w secret -D 'cn=Manager,c=gb' -f file.ldif
+
+=== Problem 4: writing the LDIF file ===
+
+To construct our DIT, we need to write its description in the LDIF file that we
+will pass to 'ldapadd'. The reason why the practical advise us to create the
+DIT using a LDAP browser is certainly because writing a LDIF file is rather
+tricky the first time.
+
+==== Resolution ====
+
+Though the manpage of 'ldapadd' gives us a basic example of LDIF file for
+adding an entry, it is rather insufficient.
+
+The documentation of OpenLDAP, especially the section _LDIF text entry format_
+available at the link below gives us more information, including an example
+with children and parent nodes.
+
+http://www.openldap.org/doc/admin24/dbtools.html#The%20LDIF%20text%20entry%20format
+
+After a few tries with different syntaxes, we finally get this error:
+
+ ldap_add: Invalid syntax (21)
+ additional info: objectClass: value #0 invalid per syntax
+
+Here, the 'objectClass' refered to is 'organisation'. The problem is that it is
+misspelled in the practical. The real class is actually 'organization' as
+stated here:
+
+http://www.zytrax.com/books/ldap/ape/
+
+The issue is actually the same with 'organisationalUnit' and
+'organisationalPerson'.
+
+At this point, our LDIF file looks something like:
+
+ dn: o=University of Kent,c=gb
+ objectClass: organization
+
+ dn: ou=MSc ISB,o=University of Kent,c=gb
+ objectClass: organizationalUnit
+
+ dn: cn=Olivier Gayot,ou=MSc ISB,o=University of Kent,c=gb
+ objectClass: organizationalPerson
+ objectClass: pkiUser
+ objectClass: pmiUser
+
+After trying to add it using 'ldapadd', the LDAP server sends us this error:
+
+ adding new entry "cn=Olivier Gayot,ou=MSc ISB,o=KENT,c=gb"
+ ldap_add: Object class violation (65)
+ additional info: object class 'organizationalPerson' requires attribute 'sn'
+
+What we understand here is that we need to add an extra attribute 'sn'. To
+figure out what it actually means, we can have a look in the file
+'schema/core.schema', especially this section:
+
+ attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' )
+ DESC 'RFC2256: last (family) name(s) for which the entity is known by'
+ SUP name )
+
+With that information, we can edit our LDIF file and supply our new attribute:
+
+ dn: o=University of Kent,c=gb
+ objectClass: organization
+
+ dn: ou=MSc ISB,o=University of Kent,c=gb
+ objectClass: organizationalUnit
+
+ dn: cn=Olivier Gayot,ou=MSc ISB,o=University of Kent,c=gb
+ objectClass: organizationalPerson
+ objectClass: pkiUser
+ objectClass: pmiUser
+ sn: Gayot
+
+By using the command line below, our DIT is successfully created (the option
+'-c' is used here because, without it, 'ldapadd' stops because our parent nodes
+have already been created)
+
+ $ ldapadd -w secret -D 'cn=Manager,c=gb' -f file.ldif -c
+
+=== Problem 5: Modifying an entry to add other classes ===
+
+To add new attributes (uid, password and role), to our freshly created user
+without deleting it, we need to modify its entry. Since 'ldapadd' does not
+permit to override an entry, we have to find another way.
+
+==== Resolution ====
+
+We start by having a look inside the schema files to figure out what classes
+and attributes we need to store our new informations.
+
+Here is a list of what we need:
+
+- an 'uidObject' class which requires a 'uid' attribute
+- a 'permisRole' attribute which we can be set to our desired value
+- a 'userPassword' attribute which will store a password in a non-plaintext format
+
+Then, by reading the manpage 'ldif (5)', we learn about the syntax of a LDIF file to
+modify an entry. In our case, we create another '.ldif' to handle our
+modification and add this content inside:
+
+ dn: cn=Olivier Gayot,ou=MSc ISB,o=University of Kent,c=gb
+ changetype: modify
+ add: objectClass
+ objectClass: uidObject
+ -
+ add: uid
+ uid: ojgg2
+ -
+ add: permisRole
+ permisRole: student
+ -
+ add: userPassword
+ userPassword: fooBar
+
+By running 'ldapmodify' the same way we used 'ldapadd', our entry is
+successfully modified.
+
+After reading the manpage 'ldapsearch (1)', we can check our result by issuing
+the command below and reading its output (only the interesting excerpt of the
+output is shown below).
+
+ $ ldapsearch -H ldap://csvm2C4E.kent.ac.uk -x -b 'c=gb' '(cn=Olivier Gayot)'
+
+ > # Olivier Gayot, MSc ISB, University of Kent, gb
+ > dn: cn=Olivier Gayot,ou=MSc ISB,o=University of Kent,c=gb
+ > objectClass: organizationalPerson
+ > objectClass: pkiUser
+ > objectClass: pmiUser
+ > objectClass: uidObject
+ > sn: gayot
+ > cn: Olivier Gayot
+ > uid: ojgg2
+ > permisRole: student
+ > userPassword:: Zm9vQmFy
+
+That's it! By the way, we can note that our password 'fooBar' is stored as
+'Zm9vQmFy' (its NT-OWF hashed format).
+